Qilin

Threat Actor updated 4 days ago (2024-11-29T13:52:25.072Z)
Qilin is a ransomware threat actor whose victim count rose by 44% to 140 in Q3. The group is described as part of the Octo Tempest cluster, which recently added the RansomHub and Qilin ransomware families to its arsenal, broadening the range of attacks it can launch. Qilin demonstrated its reach with a successful attack on the automotive supplier Yanfeng using its namesake ransomware. Researchers have also identified a new variant, dubbed Qilin.B, that uses stronger encryption and improved defense evasion and targets both Windows and Linux systems in double-extortion operations.

Qilin's operations often rely on partnerships with initial access brokers (IABs). In one observed case, the gang breached its target through a VPN portal. The group has also had setbacks. The rise of RansomHub appears to have come at the expense of LockBit, which recorded three times more successful attacks than Qilin in the second quarter; Qilin's fortunes nevertheless appear to be improving as it expands its reach and refines its tactics.

The group has faced legal challenges as well. In August, Synnovis obtained a preliminary injunction from the English High Court against the Qilin ransomware group, Telegram, and a leak site to prevent publication of stolen data. Following the injunction, Telegram blocked the channel Qilin used to leak victim data. Despite these obstacles, Qilin remains a significant threat: in June the group published stolen data on its Tor leak site. Organizations should remain vigilant and proactive in their defenses to counter the evolving threat posed by Qilin.
Description last updated: 2024-10-29T20:12:48.378Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so listed here are some possibly overlapping names and profiles that may also be relevant.

Alias | Description | Votes
Ransomhub | Ransomhub is a possible alias for Qilin. RansomHub, a threat actor in the realm of cybersecurity, has emerged as a significant player within the ransomware landscape. The group is known for its malicious activities, including data breaches and extortion attempts. It has been observed that RansomHub affiliates actively participate in campai | 3
Octo Tempest | Octo Tempest is a possible alias for Qilin. Octo Tempest, also known as Scattered Spider or 0ktapus, is a notable threat actor group in the cybercrime landscape. The group, comprised of five individuals in their early 20s, has been linked to major data extortion campaigns against high-profile targets such as Caesars Entertainment and MGM, oft | 2
Miscellaneous Associations
Other elements of context that could aid in assessing relevance: Ransomware, Extortion, RaaS, Malware, Linux, Credentials, Ransom, Encryption, Chrome, VPN, Data Leak, Cybercrime, Phishing, Windows, ESXi, Rust, Telegram, NHS
Associated Malware
Alias | Description | Association Type | Votes
Lockbit | The Lockbit Malware is associated with Qilin. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or | Unspecified | 4
Black Basta | The Black Basta Malware is associated with Qilin. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses | Unspecified | 2
Hive | The Hive Malware is associated with Qilin. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostag | Unspecified | 2
Associated Threat Actors
Alias | Description | Association Type | Votes
Alphv | The Alphv Threat Actor is associated with Qilin. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient p | Unspecified | 3
BianLian | The BianLian Threat Actor is associated with Qilin. BianLian is a threat actor that has been active in cybercrime, leveraging various techniques for malicious intent. Prior to January 2024, the group used an encryptor (encryptor.exe) that modified all encrypted files to have the .bianlian extension and created a ransom note in each affected directory | Unspecified | 2
Scattered Spider | The Scattered Spider Threat Actor is associated with Qilin. Scattered Spider, also known as Octo Tempest, 0ktapus, and UNC3944, is a notorious threat actor group involved in major data extortion campaigns. This cybercriminal group has been associated with high-profile attacks on organizations like Caesars Entertainment and MGM, often in collaboration with th | Unspecified | 2
Source Document References
Information about the Qilin Threat Actor was read from the documents corpus below. This display is limited to 20 results.

Source | Created
Checkpoint | a month ago
InfoSecurity-magazine | 2 months ago
Securityaffairs | 2 months ago
Securityaffairs | 2 months ago
DARKReading | 3 months ago
Securityaffairs | 3 months ago
DARKReading | 3 months ago
Malwarebytes | 3 months ago
Checkpoint | 3 months ago
Securityaffairs | 3 months ago
Securityaffairs | 4 months ago
InfoSecurity-magazine | 4 months ago
Securityaffairs | 4 months ago
BankInfoSecurity | 5 months ago
Securityaffairs | 4 months ago
Securityaffairs | 4 months ago
Securityaffairs | 4 months ago
Securityaffairs | 4 months ago
InfoSecurity-magazine | 5 months ago
Securityaffairs | 5 months ago